Detecting Attempts to Change Memory

1. A method for detecting attempts to change memory by a group of instructions comprising: during a trial period: temporarily marking as read-only a memory page that includes a memory location to be observed; catching an exception when an instruction attempts to write to the marked memory page; in response to the instruction attempting to write to the memory location to be observed, storing an identifier of the instruction in a watch list, wherein the identifier uniquely identifies the instruction based on a memory address from which the instruction is fetched; subsequent to the trial period: marking the memory page writable; and detecting attempts, based on the watch list, to execute the identified instruction.

2. The method of claim 1 , further comprising determining the memory locations to be observed by traversing a data structure, wherein the memory location to be observed is occupied by the data structure.

3. The method of claim 1 , wherein the marking as read-only the memory page comprises marking an entry for the memory page as read-only in a hardware page table.

4. The method of claim 1 , wherein the identifier comprises an extended instruction pointer.

5. The method of claim 1 , wherein the instruction is executed through binary translation and the detecting of the attempts to execute the identified instruction comprises detecting in binary translation attempts to execute the instruction.

6. The method of claim 1 , wherein the detecting of the attempts further comprises: subsequent to the unmarking, executing the instruction; and recognizing execution of the instruction on the basis of the stored identifier.

7. The method of claim 6 , wherein the instruction is recognized in binary translation.

8. The method of claim 7 , further comprising responsive to detecting an attempt to execute the instruction, executing a translation of the instruction.

9. The method of claim 1 , wherein the memory location is occupied by a frame list topology.

10. The method of claim 9 , wherein the frame list topology comprises a URCI frame list topology, an ERCI frame list topology, or an ORCI frame list topology.

11. The method of claim 1 , wherein the memory page is in virtual memory and the detecting is performed by a virtualization layer.

12. The method of claim 11 , wherein the instruction comprises an instruction of a guest operating system executing in a virtual machine.

13. The method of claim 12 , wherein the instruction belongs to a device driver of the guest operating system.

14. The method of claim 1 , further comprising: in response to the exception, identifying the instruction prior to storing of the identifier of the instruction.

15. A method for monitoring a data structure in memory for changes, the method comprising: identifying a plurality of memory locations that are occupied by the data structure; learning which instructions of a first software entity are responsible for updating the data structure by marking as read-only memory pages that include the plurality of memory locations, thereby triggering a exception when an attempt is made to write to the data structure, and recording in a watch list identifiers of each instruction that triggers the exception when writing to the memory locations occupied by the data structure, wherein a respective identifier uniquely identifies the corresponding instruction based on a memory address from which the instruction is fetched; removing the read-only marking from the memory pages after a selected number of the instructions of the first software entity are identified through the learning, the removing includes marking the memory pages writable; unmarking as read-only the memory pages previously marked; and notifying a second software entity that instructions that write to the memory locations occupied by the data structure were executed thereby indicating that the data structure might have been modified by the first software entity.

16. A non-transitory machine readable medium embodying computer instructions causing a processor to perform a method for monitoring a data structure in memory for changes, the method comprising: identifying a plurality of memory locations that are occupied by the data structure; learning which instructions of a first software entity are responsible for updating the data structure by marking as read-only memory pages that include the plurality of memory locations, thereby triggering a exception when an attempt is made to write to the data structure, and recording in a watch list identifiers of each instruction that triggers the exception when writing to the memory locations occupied by the data structure, wherein a respective identifier uniquely identifies the corresponding instruction based on a memory address from which the instruction is fetched; unmarking as read-only the memory pages previously marked after a selected number of the instructions of the first software entity are identified through the learning, the unmarking includes marking the memory pages writable; and subsequent to the unmarking, detecting execution of any of the instructions identified in the watch list, and notifying a second software entity that instructions that write to the memory locations occupied by the data structure were executed thereby indicating that the data structure might have been modified by the first software entity.

17. The medium of claim 16 , wherein the first software entity is a guest operating system executing in a virtual machine and the second software entity is a virtual controller.

18. A method for detecting attempts to change memory by a group of instructions comprising: identifying an instruction that writes to memory locations to be observed, the identifying including temporarily marking as read-only a memory page that includes the memory locations to be observed, thereby causing an exception when an attempt is made to write to the marked memory page, and in response to the exception caused by the attempt to write to the marked memory page, determining if the memory locations to be observed share memory pages with other memory locations and upon determining that the instruction that triggered the exception is not attempting to write to a location in the other memory locations, storing an identifier of the instruction that triggered the exception in a watch list, wherein the identifier uniquely identifies the instruction based on a memory address from which the instruction is fetched; and detecting attempts, using the stored identifier, to execute the identified instruction.